Scammed for $5000 for Omega Speedmaster watch

Posts
818
Likes
3,126
And when that site is hacked and ALL of your accounts are compromised?
Nosir. Services like LastPass (my personal favorite) encrypt your password vault at the endpoint (your PC, Mac, or smartphone) using AES-256 and a passphrase known only to you, before pushing it to their cloud servers. So if they were hacked, all the attackers would get would be the email address you used to sign up, and your encrypted password vault. Heck, even if the gummint demanded that they hand over your data, all they could provide would be the encrypted vault since they do not know - nor want to know - your master password.

AES-256 is approved by Uncle Sam for protection of documents classified up to and including TOP SECRET, so it's probably more than sufficient for plebs like us. At current state-of-the-art computation speeds, it would take longer than the universe has been in existence to exhaust the entire AES-256 keyspace in a brute force attack, and one would hope that you might have changed your passwords by then!
 
Posts
2,167
Likes
3,387
Nosir. Services like LastPass (my personal favorite) encrypt your password vault at the endpoint (your PC, Mac, or smartphone) using AES-256 and a passphrase known only to you, before pushing it to their cloud servers. So if they were hacked, all the attackers would get would be the email address you used to sign up, and your encrypted password vault. Heck, even if the gummint demanded that they hand over your data, all they could provide would be the encrypted vault since they do not know - nor want to know - your master password.

AES-256 is approved by Uncle Sam for protection of documents classified up to and including TOP SECRET, so it's probably more than sufficient for plebs like us. At current state-of-the-art computation speeds, it would take longer than the universe has been in existence to exhaust the entire AES-256 keyspace in a brute force attack, and one would hope that you might have changed your passwords by then!
That only works if everything is implemented correctly. If they get the decryption key, it's game over.
 
Posts
239
Likes
466
Sorry for your loss, and in my opinion the police are the only ones who can do something. Maybe the account where you sent the money wasn't under a fake name and they can track down a real person. Or if the account was under a fake name they can get some pictures of the person who withdrew the money from the ATM, etc.
 
Posts
637
Likes
1,597
Wow, that is crazy. I am sorry about what happened. I did send him, the "hacker", a message to buy the watch as well; thank god he did not respond.
 
Posts
804
Likes
896
Great read, but obviously very very unfortunate. There are several forum members who I have grown to trust and feel very confident in wiring them money for a purchase. However, let this be a lesson to all of us and use extra methods of authentication to be sure we are speaking to who we think we are.
 
Posts
1,703
Likes
5,179
OF membership - my account has been hacked and I am "selling" watches - this is not me!!
working with mod to get it straightened out.
someone using my longstanding reputation in the community for their advantage
I have changed pw here and pretty much everywhere else
Sincerely
Mike

I'm thinking that if any member had immediately noticed your name and your post saying that you were selling a watch, the buyer could have been forewarned.
 
Posts
225
Likes
724
Sorry for your loss, and in my opinion the police are the only ones who can do something. Maybe the account where you sent the money wasn't under a fake name and they can track down a real person. Or if the account was under a fake name they can get some pictures of the person who withdrew the money from the ATM, etc.
I don’t know how US banking works but would have thought that if the receiving account has been opened fraudulently then the bank could or should be liable.

If the bank account is genuine then the account holder has committed fraud.
 
Posts
4,113
Likes
16,307
I don’t know how US banking works but would have thought that if the receiving account has been opened fraudulently then the bank could or should be liable.

If the bank account is genuine then the account holder has committed fraud.

Yes, this is very true and OP’s luck is that both accounts are in the same bank so the case should be handled by the internal legal team and has better chances to be solved faster. Fingers crossed.
 
Posts
1,228
Likes
3,791
Wow, that is crazy. I am sorry about what happened. I did send him, the "hacker", a message to buy the watch as well; thank god he did not respond.

You dodged a bullet there! Ballsy move offering $4600 when the price was already so low. Did the price being so far below market seriously not raise any red flags for anybody who reached out to the scammer?? I guess it was just high enough not to arouse too much suspicion.
 
Posts
228
Likes
347
You dodged a bullet there! Ballsy move offering $4600 when the price was already so low. Did the price being so far below market seriously not raise any red flags for anybody who reached out to the scammer?? I guess it was just high enough not to arouse too much suspicion.

Is it really that much below market? You can buy grey for $6500 or a touch less. Some dude on WUS has had one listed used @ $6k for many months. $5000 seemed like it was about right.
 
Posts
2,510
Likes
3,727
Or just make it something memorable but long:

[image: password_strength.png]

So for example @ulackfocus might have as his password MulletSpeedmasterStanleyCup - three things he will never be associated with but that combine to make a difficult password to guess or brute force yet easy for him to remember.


At one time this would have worked, but it no longer is good information. Password cracking based on dictionary words has progressed significantly, and the above password, or one similar to it, would probably take less than 2 minutes to break now.

https://www.pentestpartners.com/sec...batterystaple-isnt-a-good-password-heres-why/
 
Posts
391
Likes
596
From what I've gathered this was due to account take over (on here) so how the hell can you avoid the same pitfall with other sellers?! Everything could look legit through to sending the money then no watch comes.....
as I've asked on another thread can escrow services be introduced?
I hope the git can be found but....
 
Posts
2,167
Likes
3,387
From what I've gathered this was due to account take over (on here) so how the hell can you avoid the same pitfall with other sellers?! Everything could look legit through to sending the money then no watch comes.....
as I've asked on another thread can escrow services be introduced?
I hope the git can be found but....
1) Buy the seller
2) Use recoverable funds only (PayPal, Credit Card, etc.)
 
Posts
228
Likes
347
1) Buy the seller
2) Use recoverable funds only (PayPal, Credit Card, etc.)

I'm pretty sure that 1) is part of the problem here. OP thought he was buying a credible seller. Without an independent way to verify that you're actually talking to the seller, it's a bit risky. Frankly, that leaves pretty much any private seller as a risk. At least with most or all of the grays, there's a website, and IG or FB page, or some other way to verify contact information.
 
Posts
1,626
Likes
6,218
That only works if everything is implemented correctly. If they get the decryption key, it's game over.
The decryption key is your password, it’s only stored in your head: pick a single good one and remember only that, same as recycling it on many websites like everyone does (don’t lie) but far more secure.

People are always quick to find faults in password managers, but pointing out faults without offering an alternative is useless and the real world has proven a million times that no one has found a better solution yet.
 
Posts
1,151
Likes
3,052
I think the key moral of this story here is if something is offered at a too-good-to-be-true price, that's exactly what it is.
Btw, FYI, there's a big scam going on eBay right now where a hacker is apparently getting into old, established seller accounts and offering old Rolex at $1100 a pop. They're recycling the same few old pics every time. They're not very clever. The key is not to be fooled by the super low price, even if offered by what seems to be a legit seller account/profile.
 
Posts
3,719
Likes
4,200
OMG this is nasty. OP - so sorry for what happened to you.

I have separate computers, phone numbers, addresses, and banks which I use solely for business, which limits my exposure to getting phished out of my login information in the first place, but it's still not perfect.
 
Posts
2,167
Likes
3,387
The decryption key is your password, it’s only stored in your head: pick a single good one and remember only that, same as recycling it on many websites like everyone does (don’t lie) but far more secure.

People are always quick to find faults in password managers, but pointing out faults without offering an alternative is useless and the real world has proven a million times that no one has found a better solution yet.
No, the password is just a hash.